Homelab<\/h2>\n
We have a CentOS 7 VM installed which we want to configure as a Graylog server:<\/p>\n
syslog.hl.local (10.11.1.14) \u2013 Graylog\/Elasticsearch\/MongoDB with Apache frontend<\/p>\n
SELinux set to enforcing mode.<\/p>\n
See the image below to identify the homelab part this article applies to.<\/p>\n
![\"\"](\"https:\/\/www.lisenet.com\/wp-content\/uploads\/2018\/04\/lisenet-homelab-diagram_syslog.png\")
<\/p>\n
Configuration with Puppet<\/h2>\n
Puppet master runs on the Katello<\/a> server.<\/p>\n We use graylog-graylog<\/a> Puppet module to configure the server. The module only manages Graylog itself. We need other modules to install the required dependencies like Java, MongoDB, Elasticsearch and Apache (as a reverse proxy):<\/p>\n Please see each module\u2019s documentation for features supported and configuration options available.<\/p>\n Repositories for Graylog, Elasticsearch and MongoDB are provided by Katello (we configured them here<\/a>).<\/p>\n Note that Graylog 2.4 does not work with Elasticsearch 6.x, we\u2019ll therefore use Elasticsearch 5.x.<\/p>\n class { ‘mongodb::globals’: class { ‘elasticsearch’: include ::java<\/p>\n class { ‘graylog::server’: The content of the file syslog_inputs.sh can be seen below.<\/p>\n We create two Graylog inputs, one for syslog to bind to UDP 1514, and one for GELF. See the section below for port redirection from UDP 514 to UDP 1514 as Graylog cannot bind to UDP 514 unless run as root.<\/p>\n #!\/bin\/bash GRAYLOG_INPUT_SYSLOG_UDP=’ GRAYLOG_INPUT_GELF_UDP=’ curl -s -X POST -H “Content-Type: application\/json” -d “$” $ >\/dev\/null; exit 0;<\/p>\n Configure firewall to allow WebUI, syslog and GELF traffic. Also configure port redirection as Graylog cannot bind to UDP 514 unless run as root.<\/p>\n firewall { ‘007 allow Graylog HTTP\/S’: Install Apache as a reverse proxy for Graylog.<\/p>\n class { ‘apache’: apache::vhost { ‘graylog_http’: We want to configure all homelab servers to forward syslog to Graylog.<\/p>\n This needs to go in to the main environment manifest file \/etc\/puppetlabs\/code\/environments\/homelab\/manifests\/site.pp so that configuration is applied to all servers.<\/p>\n class { ‘rsyslog::client’: The result should be something like this:<\/p>\n All servers forward logs to Graylog.<\/p>\nPuppet Modules<\/h3>\n
\n
Katello Repositories<\/h3>\n
Install MongoDB<\/h3>\n
\n## Use Katello repository<\/em>
\nmanage_package_repo => false,
\n}->
\nclass { ‘mongodb::server’:
\nensure => ‘present’,
\nrestart => true,
\nbind_ip => [‘127.0.0.1’],
\nport => 27017,
\nsmallfiles => true,
\n}<\/p>\nInstall Elasticsearch<\/h3>\n
\nensure => ‘present’,
\nstatus => ‘enabled’,
\n## Use Katello repository<\/em>
\nmanage_repo => false,
\nrestart_on_change => true,
\n}->
\nelasticsearch::instance { ‘graylog’:
\nconfig => {
\n‘cluster.name’ => ‘graylog’,
\n‘network.host’ => ‘127.0.0.1’,
\n},
\njvm_options => [
\n‘-Xms512m’,
\n‘-Xmx512m’
\n]
\n}<\/p>\nInstall Java and Graylog<\/h3>\n
\nenable => true,
\nensure => ‘running’,
\nconfig => {
\n‘is_master’ => true,
\n‘password_secret’ => ‘3jC93bTD…OS7F7H87O’,
\n‘root_password_sha2’ => ‘008e3a245354b…f0d9913325f26b’,
\n‘web_enable’ => true,
\n‘web_listen_uri’ => ‘http:\/\/syslog.hl.local:9000\/’,
\n‘rest_listen_uri’ => ‘http:\/\/syslog.hl.local:9000\/api\/’,
\n‘rest_transport_uri’ => ‘http:\/\/syslog.hl.local:9000\/api\/’,
\n‘root_timezone’ => ‘GMT’,
\n}
\n}->
\n##
\n## Use a script to automatically create
\n## UDP Syslog\/GELF inputs via Graylog API.
\n##<\/em>
\nfile { ‘\/root\/syslog_inputs.sh’:
\nensure => file,
\nsource => ‘puppet:\/\/\/homelab_files\/syslog_inputs.sh’,
\nowner => ‘0’,
\ngroup => ‘0’,
\nmode => ‘0700’,
\nnotify => Exec[‘create_syslog_inputs’],
\n}
\nexec {‘create_syslog_inputs’:
\ncommand => ‘\/root\/syslog_inputs.sh’,
\nrefreshonly => true,
\n}<\/p>\n
\nGRAYLOG_URL=”http:\/\/admin:[email protected]<\/a>:9000\/api\/system\/inputs”;<\/p>\n
\n{
\n“global”: “true”,
\n“title”: “Syslog UDP”,
\n“configuration”: {
\n“port”: 1514,
\n“bind_address”: “0.0.0.0”
\n},
\n“type”: “org.graylog2.inputs.syslog.udp.SyslogUDPInput”
\n}’;<\/p>\n
\n{
\n“global”: “true”,
\n“title”: “Gelf UDP”,
\n“configuration”: {
\n“port”: 12201,
\n“bind_address”: “0.0.0.0”
\n},
\n“type”: “org.graylog2.inputs.gelf.udp.GELFUDPInput”
\n}’;<\/p>\n
\ncurl -s -X POST -H “Content-Type: application\/json” -d “$” $ >\/dev\/null;<\/p>\nConfigure Firewall<\/h3>\n
\ndport => [80, 443, 9000],
\nsource => ‘10.11.1.0\/24’,
\nproto => tcp,
\naction => accept,
\n}->
\nfirewall { ‘008 allow Syslog’:
\ndport => [‘514’, ‘1514’],
\nsource => ‘10.11.1.0\/24’,
\nproto => udp,
\naction => accept,
\n}->
\nfirewall { ‘009 redirect Syslog 514 to Graylog 1514’:
\nchain => ‘PREROUTING’,
\njump => ‘REDIRECT’,
\nproto => ‘udp’,
\ndport => ‘514’,
\ntoports => ‘1514’,
\ntable => ‘nat’,
\n}->
\nfirewall { ‘010 allow Gelf’:
\ndport => [‘12201’],
\nsource => ‘10.11.1.0\/24’,
\nproto => udp,
\naction => accept,
\n}<\/p>\nApache Reverse Proxy with TLS<\/h3>\n
\ndefault_vhost => false,
\ndefault_ssl_vhost => false,
\ndefault_mods => false,
\nmpm_module => ‘prefork’,
\nserver_signature => ‘Off’,
\nserver_tokens => ‘Prod’,
\ntrace_enable => ‘Off’,
\n}
\ninclude apache::mod::proxy
\ninclude apache::mod::proxy_http
\ninclude apache::mod::rewrite
\ninclude apache::mod::ssl
\ninclude apache::mod::headers<\/p>\n
\nport => 80,
\nservername => ‘syslog.hl.local’,
\nrewrites => [
\n{ rewrite_rule => [‘(.*) https:\/\/%%’],
\nrewrite_cond => [‘% off’],
\n},
\n],
\ndocroot => false,
\nmanage_docroot => false,
\nsuphp_engine => ‘off’,
\n}
\napache::vhost { ‘graylog_https’:
\nport => 443,
\nservername => ‘syslog.hl.local’,
\ndocroot => false,
\nmanage_docroot => false,
\nsuphp_engine => ‘off’,
\nssl => true,
\nssl_cert => ‘\/etc\/pki\/tls\/certs\/hl.crt’,
\nssl_key => ‘\/etc\/pki\/tls\/private\/hl.key’,
\nssl_protocol => [‘all’, ‘-SSLv2’, ‘-SSLv3’],
\nssl_cipher => ‘HIGH:!aNULL!MD5:!RC4’,
\nssl_honorcipherorder => ‘On’,
\n## Pass a string of custom configuration directives<\/em>
\ncustom_fragment => ‘
\nProxyRequests Off
\n<Proxy *>
\nRequire ip 10.11.1.0\/24
\n<\/Proxy>
\n<Location \/>
\nRequestHeader set X-Graylog-Server-URL “https:\/\/syslog.hl.local\/api\/”
\nProxyPass http:\/\/syslog.hl.local:9000\/
\nProxyPassReverse http:\/\/syslog.hl.local:9000\/
\n<\/Location>
\n‘,
\n}<\/p>\nConfigure Log Forwarding on All Servers<\/h2>\n
\nlog_remote => true,
\nlog_local => true,
\nremote_servers => false,
\nserver => ‘syslog.hl.local’,
\nport => ‘1514’,
\nremote_type => ‘udp’,
\nremote_forward_format => ‘RSYSLOG_SyslogProtocol23Format’,
\n}<\/p>\n![\"\"](\"https:\/\/www.lisenet.com\/wp-content\/uploads\/2018\/03\/lisenet-homelab-graylog.png\")
<\/p>\n